Risking OCR and Patient Ire, Many CEs Don’t Comply With Patient Access Rules

June 2014 Volume 14 Issue 6
aishealth.com

REPORT ON PATIENT PRIVACY delivers timely news and business strategies for safeguarding patient privacy and data security.

In apparent defiance of final HITECH regulations, many HIPAA covered entities (CEs) are not offering patients the option of receiving an electronic copy of their medical records, let alone in the “form and format” of their choosing, as has been required since January 2013.

Some are imposing fees for copies and applying limits on what they will provide that do not appear to be in line with regulations. Health systems with multiple hospitals have implemented the access requirements inconsistently across their medical centers, meaning some may be in compliance while others are not.

All of this is evident on the websites of covered entities, in their pages that outline the policies and procedures for patients to obtain their protected health information (PHI) — so officials from the Office for Civil Rights (OCR) can readily see it also. An OCR spokeswoman tells RPP “we can and we have” brought enforcement actions against CEs who violate the access requirements.

Patient advocates, medical records providers, privacy experts and others also tell RPP of a multitude of likely unlawful hoops imposed by CEs that people are jumping through to try to get their records.

“Unless you are behind the curtain like I am or unless you start finding the right stones to turn over, you don’t ever get to see the horror show that really exists in various degrees across the country,” says Chris Carpenter, director of operations for Diversified Medical Record Services, Inc. (DMRS), a business associate that processes records requests for hospitals and physicians’ offices nationwide.

To view the full article, please visit Risking OCR and Patient Ire, Many CEs Don’t Comply With Patient Access Rules

Health Care and You: Consumer Resources

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

Health care issues, and patients rights, are in the forefront of the news. However, along with the accurate information, there is also confusing and inaccurate information being produced.

The good news for patients and consumers is that they can find accurate information presented in easily understandable terms at the Department of Health and Human Services (HHS) website (www.hhs.gov).  The HHS Office for Civil Rights (OCR) has produced various YouTube videos, fact sheets and brochures that provide up-to-date guidance on an array of topics.

For example, I watched the just-released HHS/OCR video titled “Your New Rights Under HIPAA” (HIPAA stands for the Health Insurance Portability and Accountability Act).  The video highlights some of the important new rights for patients under HIPAA (http://www.youtube.com/watch?v=3-wV23_E4eQ).

The video explains, among other points, that:

  • patients are entitled to get an electronic copy of their information (and that doctors might charge a small fee for copying the records or producing a thumb drive);
  • patients can ask that their doctor send the patients’ medical information to a friend or family member who’s involved with the patients’ medical care;
  • there are new tougher limits on the sale of health information, including the fact that this can’t be done (with a few exceptions) without getting permission from the patient;
  • parents and guardians now have an easier way to share a child’s immunization information with the child’s school; and
  • Privacy Policies of doctors should include information about the above (and other) new rights.

OCR has produced 10 other mini-videos on health issues; they can be found at: http://www.youtube.com/user/USGOVHHSOCR. They have also produced four consumer fact sheets (available in eight different languages). The fact sheets can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers. The fact sheets are handy reference guides that are worth reading.

People need to be pro-active to learn how they can access and control their health information, have it shared or not shared as they wish and better protect their privacy.  The HHS/OCR materials are excellent resources that will help everyone do so.

Courtesy of Privacy Made Simple

Health-care sector vulnerable to hackers, researchers say

From the Wall Street Journal article by Robert O’Harrow Jr. titled Health-care sector vulnerable to hackers, researchers say

“As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.

Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems.

A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.

“I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.””

Sizing Up De-Identification Guidance, Experts Analyze HIPAA Compliance Report (quotes PPR)

To view the full article by Marianne Kolbasuk McGee, please visit: Sizing Up De-Identification Guidance, Experts Analyze HIPAA Compliance Report.

The federal Office of Civil Rights (OCR), charged with protecting the privacy of the nation’s health data, released a ‘guidance’ for “de-identifying” health data. Government agencies and corporations want to “de-identify”, release and sell health data for many uses. There are no penalties for not following the ‘guidance’.

Releasing large databases with “de-identified” health data on thousands or millions of people could enable breakthrough research to improve health, lower costs, and improve quality of care, IF “de-identification” actually protected our privacy so that no one knows it’s our personal data. But it doesn’t.

The ‘guidance’ allows easy ‘re-identification’ of health data. Publicly available databases of other personal information can be quickly compared electronically with ‘de-identified’ health databases, so names can be re-attached, creating valuable, identifiable health data sets.

The “de-identification” methods OCR proposed are:

  • The HIPAA “Safe Harbor” method: if 18 specific identifiers are removed (such as name, address, age, etc.), data can be released without patient consent. But 0.04% of the data can still be ‘re-identified’.
  • Certification by a statistical “expert” that the re-identification risk is “small” allows release of databases without patient consent.
      o There are no requirements to be an “expert”.
      o There is no definition of “small risk”.

Inadequate “de-identification” of health data makes it a big target for re-identification. Health data is so valuable because it can be used for job and credit discrimination and for targeted product marketing of drugs and expensive treatment. The collection and sale of intimately detailed profiles of every person in the US is a major model for online businesses.

The OCR guidance ignores computer science, which has demonstrated that ‘de-identification’ methods can’t prevent re-identification. No single method or approach can work because more and more ‘personally identifiable information’ is becoming publicly available, making it easier and easier to re-identify health data. See “Myths and Fallacies of ‘Personally Identifiable Information’” by Narayanan and Shmatikov, June 2010, at: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf. Key quotes from the article:

  • “Powerful re-identification algorithms demonstrate not just a flaw in a specific anonymization technique(s), but the fundamental inadequacy of the entire privacy protection paradigm based on “de-identifying” the data.”
  • “Any information that distinguishes one person from another can be used for re-identifying data.”
  • “Privacy protection has to be built and reasoned about on a case-by-case basis.”

OCR should have recommended what Shmatikov and Narayanan proposed: case-by-case ‘adversarial testing’ by comparing a “de-identified” health database to multiple publicly available databases to determine which data fields must be removed to prevent re-identification. See PPR’s paper on “adversarial testing” at: http://patientprivacyrights.org/wp-content/uploads/2010/10/ABlumberg-anonymization-memo.pdf

Simplest, cheapest, and best of all would be to use the stimulus billions to build electronic systems so patients can electronically consent to data use for research and other uses they approve of.  Complex, expensive contracts and difficult ‘work-arounds’ (like ‘adversarial testing’) are needed to protect patient privacy because institutions, not patients, control who can use health data. This is not what the public expects and prevents us from exercising our individual rights to decide who can see and use personal health information.
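As an added example (not part of the PPR page, the OCR guidance, or the papers cited above), the following Python script shows what a small ‘adversarial test’ of the kind described above looks like in practice. It measures how many records in a constructed “de-identified” health table can be tied to exactly one named person in a constructed public table (a voter-roll stand-in) through the quasi-identifiers they share (ZIP code, birth year, sex), applies two Safe Harbor rules (three-digit ZIP, ages over 89 aggregated into one category) and measures again, and then tries every combination of retained fields so an analyst can see which ones must be removed before the release meets a chosen risk threshold. All records, field names and the 2014 reference year are constructed assumptions.

```python
"""Re-identification risk checks for a "de-identified" health data set.

Added example on constructed data: k-anonymity of the retained fields,
linkage rate against a public table, Safe Harbor style generalization,
and an adversarial test over every subset of quasi-identifiers.
"""
from collections import Counter
from itertools import combinations

REFERENCE_YEAR = 2014  # assumed release year, used for the over-89 age rule

# Constructed "de-identified" records: names etc. stripped, but full ZIP,
# birth year and sex kept as quasi-identifiers.
HEALTH_RECORDS = [
    {"zip": "73301", "birth_year": 1955, "sex": "F", "diagnosis": "asthma"},
    {"zip": "73301", "birth_year": 1955, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "73301", "birth_year": 1962, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "73344", "birth_year": 1962, "sex": "F", "diagnosis": "depression"},
    {"zip": "73344", "birth_year": 1970, "sex": "M", "diagnosis": "asthma"},
    {"zip": "73344", "birth_year": 1970, "sex": "M", "diagnosis": "migraine"},
    {"zip": "78701", "birth_year": 1948, "sex": "F", "diagnosis": "arthritis"},
    {"zip": "78701", "birth_year": 1980, "sex": "M", "diagnosis": "asthma"},
]

# Constructed public table (voter-roll stand-in) sharing the same fields.
PUBLIC_RECORDS = [
    {"name": "A. Adams", "zip": "73301", "birth_year": 1955, "sex": "F"},
    {"name": "B. Brown", "zip": "73301", "birth_year": 1955, "sex": "M"},
    {"name": "C. Clark", "zip": "73301", "birth_year": 1962, "sex": "F"},
    {"name": "D. Davis", "zip": "73344", "birth_year": 1962, "sex": "F"},
    {"name": "E. Evans", "zip": "73344", "birth_year": 1970, "sex": "M"},
    {"name": "F. Fox", "zip": "73344", "birth_year": 1970, "sex": "M"},
    {"name": "G. Gray", "zip": "78701", "birth_year": 1948, "sex": "F"},
    {"name": "H. Hill", "zip": "78701", "birth_year": 1980, "sex": "M"},
    {"name": "I. Ingram", "zip": "73301", "birth_year": 1962, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def class_sizes(records, keys):
    """Count how many records share each combination of the given keys."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def min_k(records, keys):
    """Smallest equivalence class, i.e. the table's k-anonymity for these keys."""
    return min(class_sizes(records, keys).values())


def linkage_rate(health, public, keys):
    """Fraction of health records whose key combination is unique in BOTH
    tables, so the record can be tied to exactly one named person."""
    h_sizes = class_sizes(health, keys)
    p_sizes = class_sizes(public, keys)
    linked = 0
    for r in health:
        combo = tuple(r[k] for k in keys)
        if h_sizes[combo] == 1 and p_sizes.get(combo, 0) == 1:
            linked += 1
    return linked / len(health)


def safe_harbor_generalize(record, small_zip3=frozenset()):
    """Apply two Safe Harbor rules to one record: keep only the first three
    ZIP digits ("000" when that area is flagged as sparsely populated, a
    constructed set here) and collapse ages over 89 into a "90+" category."""
    out = dict(record)
    zip3 = record["zip"][:3]
    out["zip"] = "000" if zip3 in small_zip3 else zip3
    if REFERENCE_YEAR - record["birth_year"] > 89:
        out["birth_year"] = "90+"
    return out


def adversarial_test(health, public, keys):
    """Linkage rate for every non-empty subset of quasi-identifiers, largest
    subsets first, so the analyst can see which fields drive re-identification."""
    results = {}
    for n in range(len(keys), 0, -1):
        for subset in combinations(keys, n):
            results[subset] = linkage_rate(health, public, subset)
    return results


def largest_safe_subsets(results, max_rate):
    """Largest field combinations whose linkage rate is within the threshold."""
    safe = [s for s, rate in results.items() if rate <= max_rate]
    if not safe:
        return []
    best = max(len(s) for s in safe)
    return [s for s in safe if len(s) == best]


if __name__ == "__main__":
    print("k-anonymity of full quasi-identifiers:",
          min_k(HEALTH_RECORDS, QUASI_IDENTIFIERS))
    print("linkable, full quasi-identifiers:",
          linkage_rate(HEALTH_RECORDS, PUBLIC_RECORDS, QUASI_IDENTIFIERS))
    gen_h = [safe_harbor_generalize(r) for r in HEALTH_RECORDS]
    gen_p = [safe_harbor_generalize(r) for r in PUBLIC_RECORDS]
    print("linkable after Safe Harbor ZIP truncation:",
          linkage_rate(gen_h, gen_p, QUASI_IDENTIFIERS))
    results = adversarial_test(HEALTH_RECORDS, PUBLIC_RECORDS, QUASI_IDENTIFIERS)
    for subset, rate in results.items():
        print(f"  keep {subset}: {rate:.3f} linkable")
    print("largest field sets with no linkable records:",
          largest_safe_subsets(results, 0.0))
```

On this constructed data the Safe Harbor ZIP truncation lowers the share of linkable records from 62.5% to 50%, and no pair of quasi-identifiers can be retained without some records remaining uniquely linkable; only a single field survives a zero-linkage threshold. That is the point of testing case by case against the public data actually available rather than trusting a fixed identifier list.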

Re: BCBS Breach in Tennessee

The Office of Civil Rights in the Dept of Health and Human Services (OCR) slapped the wrist of BCBS of Tennessee.

One million people’s protected health information was breached because Blue Cross Blue Shield (BCBS) of Tennessee violated data security laws. The settlement cost BCBS a little more than $1.00 per person—hardly a deterrent to other corporations or adequate punishment. However, that amount happens to be the same as the highest possible fine permitted by law (HITECH).

Still, it appears that criminal charges could have been filed for “willful disregard” rather than OCR accepting a settlement. OCR’s finding that legally required “adequate administrative and physical safeguards” were lacking is evidence of “willful neglect”.

Worst of all, the one million victims received NO protection against future ID theft or medical ID theft. OCR could have also required BCBS to mitigate future patient harms, but didn’t. New technologies can protect against medical ID theft by enabling patients to review all new claims, so they can detect and prevent fraudulent claims and erroneous data from being entered into their records.

Why didn’t OCR propose that BCBS adopt remedies to protect the patients whose records were breached from further misuse and theft?  Shouldn’t OCR help protect victims?

Re: HIPAA Auditor Involved in Own Data Breach

OCR’s contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive.

You can read the full story at Health Leaders Media, “HIPAA Auditor Involved in Own Data Breach.”

KPMG absolved itself of doing any harm:

  • “KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,”
  • “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person.”

Then KPMG prescribed its own remedy:

  • “KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”

Why didn’t OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits.

This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches.

Time for Congressional oversight?

Experts Forecast Top Seven Trends in Healthcare Information Privacy for 2011

A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach, and governance was asked to weigh in with their forecasts for 2011. These experts suggest that as health information exchanges take form, millions of patient records—soon to be available as digital files—will lead to potential unauthorized access, violation of new data breach laws and, more importantly, exposure to the threat of medical and financial identity theft.

These predictions are supported by the recent Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security, published November 2010, which found that data breaches of patient information cost the healthcare industry $6 billion annually; protecting patient data is a low priority for hospitals; and the healthcare industry lags behind the recently enacted HITECH laws…

Industry-Wide Experts Share Their Opinions and Insight…

Dr. Deborah Peel, M.D., practicing physician and founder of Patient Privacy Rights, the nation’s health privacy watchdog

“2011 will be the year that Americans recognize they can’t control personal health information in health IT systems and data exchanges. Will 2011 be the year that data security and privacy are the top of the nation’s agenda? I hope so. The right to privacy is the essential right of individuals in vibrant Democracies. If we don’t do it right in healthcare, we won’t have any privacy in the Digital Age.”…

HHS Withdraws Controversial Breach Notification Rule under HITECH

A recent HHS decision to withdraw the HIPAA final “breach notification” rule drew praise from patient privacy advocates, who cited the need for stronger privacy protections…

The Patient Privacy Rights Foundation, a privacy watchdog organization, called the move “a huge step in the right direction,” and reiterated its objections to the “harm standard.”

HHS quietly withdraws HIPAA breach-notification rule

Following a firestorm of criticism from privacy advocates who say federal officials gave too much leeway to healthcare organizations that inadvertently disclose protected health information, HHS has without fanfare withdrawn its HIPAA “breach notification” final rule that had been submitted to the White House for budgetary approval.

The move was “to allow for further consideration, given the department’s experience to date in administering the regulations,” the HHS Office for Civil Rights posted on its website late Wednesday. “This is a complex issue and the administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” OCR explained…

…The decision thrilled the Patient Privacy Rights Foundation, headed by noted privacy watchdog Dr. Deborah Peel, which had been adamantly opposed to the so-called “harm standard.”

See the PPR Press Release supporting this decision.

PPR impressed with HHS’ privacy approach

The Secretary of Health and Human Services (HHS), the Director of the Office of Civil Rights (OCR), and the National Coordinator for HIT all made very strong, pro-privacy statements at the press conference today announcing the Notice of Proposed Rulemaking (NPRM) titled: 45 CFR Parts 160 and 164, RIN: 0991-AB57, Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act.

Signaling a major shift in direction for the Administration and HHS, Secretary Sebelius said “It’s important to understand this announcement of the NPRM… is part of an Administration-wide commitment to make sure no one has access to your personal information unless you want them to.”

Patient Privacy Rights heartily congratulates the Administration and Sec. Sebelius for this new pro-privacy, patient-centered approach to personal health information (PHI).

We applaud Secretary Sebelius’ clear acknowledgment that health IT systems should empower patients to control PHI. Putting patients in control of PHI is the only route to prevent wasting billions in stimulus funds on HIT systems that destroy privacy and to stop the theft, misuse, and sale of PHI in today’s primitive HIT systems and data exchanges.

During her remarks, OCR Director Verdugo said, “the benefits of HIT will only be fully realized if health information is kept private and secure at all times.”

And finally Dr. Blumenthal stated, “we want to make sure it is possible for patients to have maximal control over PHI.” He also referred to the Consumer Choices Technology Hearing last week, which demonstrated consent tools that enable patients to control the use and disclosure of their health information from EHRs and for HIE.

Hopefully the NPRM actually gives Americans the control over access to personal information Secretary Sebelius said the Administration is committed to. We are analyzing the 234 page Notice of Proposed Rulemaking (NPRM), and will post our comments on the NPRM as soon as we can.

Below see the Press Conference announcing the Proposed Rule.